Why this module exists
EDR evasion is the cat-and-mouse game between offensive operators and modern endpoint detection and response (EDR) products. This module covers the high-level techniques operators use (direct syscalls, AMSI and ETW patching, parent-PID spoofing, and BYOVD, bring your own vulnerable driver) and the countermeasures defenders apply against each of them.
The EDR detection stack
- User-mode hooks: the EDR places inline hooks on key API calls (CreateRemoteThread, NtMapViewOfSection, etc.) inside each process so it can inspect their arguments before the call reaches the kernel.
- Kernel-mode callbacks: the EDR driver registers PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine callbacks, so the kernel notifies it of every process and thread creation; these callbacks run in the kernel and cannot be removed from user mode.
- ETW (Event Tracing for Windows): the built-in telemetry stream that EDR sensors subscribe to.
- AMSI (Antimalware Scan Interface): script content from PowerShell, WSH and other script hosts is handed to the registered antimalware engine for inspection before it runs.
- File-based scanning: classic signature and heuristic scanning of files on disk.
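As an added defensive example (not part of the original module), the following Python flags parent-PID spoofing by comparing the parent a new process claims with the process that actually created it, which the kernel-mode callbacks above report to the EDR driver; the JSON event format, field names and the allow-list of benign re-parenting processes are assumptions made for the example.

```python
"""Flag parent-PID spoofing in process-creation telemetry (constructed example).
Each event carries the claimed parent (ppid, which the creator can choose) and
the creator (creator_pid), which the kernel hands to EDR drivers through the
PsSetCreateProcessNotifyRoutineEx callback. A mismatch is the spoofing signal."""
import json
from collections import namedtuple

# Creators that legitimately re-parent children, e.g. the AppInfo service host
# launching a UAC-elevated process for the requester. Illustrative, assumed list.
BENIGN_REPARENTERS = {"svchost.exe"}

Finding = namedtuple("Finding", "pid image claimed_parent actual_creator")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_ppid_spoofing(event_lines):
    """One Finding per process whose creator is not its claimed parent."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("event") != "process_create":
            continue  # thread and other events carry no parent claim
        if ev["ppid"] == ev["creator_pid"]:
            continue  # normal case: the creator is the parent
        if _basename(ev["creator_image"]) in BENIGN_REPARENTERS:
            continue  # known legitimate re-parenting (reduces false positives)
        findings.append(Finding(ev["pid"], _basename(ev["image"]),
                                _basename(ev["parent_image"]),
                                _basename(ev["creator_image"])))
    return findings

# Constructed telemetry: a normal launch, a process created by powershell.exe
# that claims explorer.exe as parent, a benign UAC re-parent, a thread event.
SAMPLE_EVENTS = [
    r'{"event":"process_create","pid":4100,"image":"C:\\Windows\\notepad.exe","ppid":1200,'
    r'"parent_image":"C:\\Windows\\explorer.exe","creator_pid":1200,"creator_image":"C:\\Windows\\explorer.exe"}',
    r'{"event":"process_create","pid":5120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","ppid":1200,'
    r'"parent_image":"C:\\Windows\\explorer.exe","creator_pid":3300,"creator_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    r'{"event":"process_create","pid":5200,"image":"C:\\Windows\\System32\\mmc.exe","ppid":2500,'
    r'"parent_image":"C:\\Windows\\System32\\cmd.exe","creator_pid":900,"creator_image":"C:\\Windows\\System32\\svchost.exe"}',
    r'{"event":"thread_create","pid":5120,"tid":6001,"creator_pid":5120}',
]

if __name__ == "__main__":
    for f in find_ppid_spoofing(SAMPLE_EVENTS):
        print(f"pid {f.pid} ({f.image}) claims parent {f.claimed_parent} "
              f"but was created by {f.actual_creator}")
```

Real sensors record both fields (Sysmon and most EDRs do), so the same comparison can be run over exported process-creation events; the allow-list needs tuning per environment.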